Data Protection Retention and Disposal Policy
1.1 The Council accumulates a vast amount of information and data during the course of its everyday activities. This includes data generated internally in addition to information obtained from individuals and external organisations. This information is recorded in various different types of document.
1.2 Records created and maintained by the Council are an important asset and as such measures need to be undertaken to safeguard this information. Properly managed records provide authentic and reliable evidence of the Council’s transactions and are necessary to ensure it can demonstrate accountability.
1.3 Documents may be retained in either ‘hard’ paper form or in electronic forms. For the purpose of this policy, ‘document’ and ‘record’ refer to both hard copy and electronic records.
1.4 It is imperative that documents are retained for an adequate period of time. If documents are destroyed prematurely the Council and individual officers concerned could face prosecution for not complying with legislation and it could cause operational difficulties, reputational damage and difficulty in defending any claim brought against the Council.
1.5 In contrast to the above the Council should not retain documents longer than is necessary. Timely disposal should be undertaken to ensure compliance with the General Data Protection Regulations so that personal information is not retained longer than necessary. This will also ensure the most efficient use of limited storage space.
2. Scope and Objectives of the Policy
2.1 The aim of this document is to provide a working framework to determine which documents are:
- Retained – and for how long; or
- Disposed of – and if so by what method.
2.2 There are some records that do not need to be kept at all or that are routinely destroyed in the course of business. This usually applies to information that is duplicated, unimportant or only of a short-term value. Unimportant records of information include:
- ‘With compliments’ slips.
- Catalogues and trade journals.
- Non-acceptance of invitations.
- Trivial electronic mail messages that are not related to Council business.
- Requests for information such as maps, plans or advertising material.
- Out of date distribution lists.
2.3 Duplicated and superseded material such as stationery, manuals, drafts, forms, address books and reference copies of annual reports may be destroyed.
2.4 Records should not be destroyed if the information can be used as evidence to prove that something has happened. If destroyed, the disposal needs to be carried out under the General Data Protection Regulations.
3. Roles and Responsibilities for Document Retention and Disposal
3.1 Councils are responsible for determining whether to retain or dispose of documents and should undertake a review of documentation at least on an annual basis to ensure that any unnecessary documentation being held is disposed of under the General Data Protection Regulations.
3.2 Councils should ensure that all employees are aware of the retention/disposal schedule.
4. Document Retention Protocol
4.1 Councils should have in place an adequate system for documenting the activities of their service. This system should consider the legislative and regulatory environments to which they work.
4.2 Records of each activity should be complete and accurate enough to allow employees and their successors to undertake appropriate actions in the context of their responsibilities to:
- Facilitate an audit or examination of the business by anyone so authorised.
- Protect the legal and other rights of the Council, its clients and any other persons affected by its actions.
- Verify individual consent to record, manage and record disposal of their personal data.
- Provide authenticity of the records so that the evidence derived from them is shown to be credible and authoritative.
4.3 To facilitate this the following principles should be adopted:
- Records created and maintained should be arranged in a record-keeping system that will enable quick and easy retrieval of information under the General Data Protection Regulations.
- Documents that are no longer required for operational purposes but need retaining should be placed at the records office.
4.4 The retention schedules in Appendix A: List of Documents for Retention or Disposal provide guidance on the recommended minimum retention periods for specific classes of documents and records. These schedules have been compiled from recommended best practice from the Public Records Office, the Records Management Society of Great Britain and in accordance with relevant legislation.
4.5 Whenever there is a possibility of litigation, the records and information that are likely to be affected should not be amended or disposed of until the threat of litigation has been removed.
5. Document Disposal Protocol
5.1 Documents should only be disposed of if reviewed in accordance with the following:
- Is retention required to fulfil statutory or other regulatory requirements?
- Is retention required to meet the operational needs of the service?
- Is retention required to evidence events in the case of dispute?
- Is retention required because the document or record is of historic interest or intrinsic value?
5.2 When documents are scheduled for disposal the method of disposal should be appropriate to the nature and sensitivity of the documents concerned. A record of the disposal will be kept to comply with the General Data Protection Regulations.
5.3 Documents can be disposed of by any of the following methods:
- Non-confidential records: place in wastepaper bin for disposal.
- Confidential records or records giving personal information: shred documents.
- Deletion of computer records.
- Transmission of records to an external body such as the County Records Office.
5.4 The following principles should be followed when disposing of records:
- All records containing personal or confidential information should be destroyed at the end of the retention period. Failure to do so could lead to the Council being prosecuted under the General Data Protection Regulations or the Freedom of Information Act, or cause reputational damage.
- Where computer records are deleted steps should be taken to ensure that data is ‘virtually impossible to retrieve’ as advised by the Information Commissioner.
- Where documents are of historical interest it may be appropriate that they are transmitted to the County Records office.
- Back-up copies of documents should also be destroyed (including electronic or photographed documents unless specific provisions exist for their disposal).
5.5 Records should be maintained of appropriate disposals. These records should contain the following information:
- The name of the document destroyed.
- The date the document was destroyed.
- The method of disposal.
6. Data Protection Act 1998 – Obligation to Dispose of Certain Data
6.1 The Data Protection Act 1998 (‘Fifth Principle’) requires that personal information must not be retained longer than is necessary for the purpose for which it was originally obtained. Section 1 of the Data Protection Act defines personal information as: Data that relates to a living individual who can be identified:
- from the data, or
- from those data and other information, which is in the possession of, or is likely to come into the possession of the data controller. It includes any expression of opinion about the individual and any indication of the intentions of the Council or other person in respect of the individual.
6.2 The Data Protection Act provides an exemption for information about identifiable living individuals that is held for research, statistical or historical purposes to be held indefinitely provided that the specific requirements are met.
6.3 Councils are responsible for ensuring that they comply with the principles under the General Data Protection Regulations namely:
- Personal data is processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met.
- Personal data shall only be obtained for specific purposes and processed in a compatible manner.
- Personal data shall be adequate, relevant, but not excessive.
- Personal data shall be accurate and up to date.
- Personal data shall not be kept for longer than is necessary.
- Personal data shall be processed in accordance with the rights of the data subject.
- Personal data shall be kept secure.
6.4 External storage providers or archivists that are holding Council documents must also comply with the above principles of the General Data Protection Regulations.
7. Scanning of Documents
7.1 In general once a document has been scanned on to a document image system the original becomes redundant. There is no specific legislation covering the format for which local government records are retained following electronic storage, except for those prescribed by HM Revenue and Customs.
7.2 As a general rule hard copies of scanned documents should be retained for three months after scanning.
7.3 Original documents required for VAT and tax purposes should be retained for six years unless a shorter period has been agreed with HM Revenue and Customs.
8. Review of Document Retention
8.1 It is planned to review, update and where appropriate amend this document on a regular basis (at least every three years in accordance with the Code of Practice on the Management of Records issued by the Lord Chancellor).
8.2 This document has been compiled from various sources of recommended best practice and with reference to the following documents and publications:
- Local Council Administration, Charles Arnold-Baker, 910h edition, Chapter 11
- Local Government Act 1972, sections 225 – 229, section 234
- SLCC Advice Note 316 Retaining Important Documents
- SLCC Clerks’ Manual: Storing Books and Documents
- Lord Chancellor’s Code of Practice on the Management of Records issued under Section 46 of the Freedom of Information Act 2000